Without encryption, e-mail as secure as a postcard
Sep 7, 2008, 3:42 GMT
Bonn, Germany - It's fairly normal nowadays to install virus scanners on a computer and use a firewall when surfing the web to block possible attacks. So why is e-mail encryption still so uncommon?
Only about 5 per cent of users take steps to protect their e-mail from third parties, said Christopher Wolf of Bochum's Ruhr University, adding that it's a question of habit.
'If e-mail had been encrypted from the start, this would have never been an issue.'
But it has become controversial now that e-mails have essentially become digital postcards which can be read by anyone.
'Their contents are transmitted in plain text, after all,' says Wolf, who works as a scientific coordinator at the university's Horst Goertz Institute for Internet Technology Security.
Just about any 14-year-old can use software that lets him read his neighbour's e-mail messages sent over a wireless connection. E-mails can easily be read by providers or system administrators.
Encrypting e-mails is not difficult with the right program and there is no need for additional software.
'There are two standards for encrypting e-mail: OpenPGP and S/MIME,' says Michael Krauss of Germany's BSI Federal Office for Information Security, and both are secure. The differences lie mainly in the way the computer user applies them.
BSI has based its GPG4Win program on OpenPGP. Users install the program on their PC so it can generate a private and a public key. Correspondents can share their public key openly via e-mail.
But to exchange e-mails, both parties need to have public and private keys. It sounds complicated, but all the necessary data can be transmitted with just a few mouse clicks. The only hitch: both parties need to be using a program like GPG4Win.
There are also extensions or plug-ins that make encryption even easier for the user. Users of the e-mail software program Thunderbird can use the Enigmail plug-in. It uses the OpenPGP standard and is incorporated into Thunderbird's on-screen layout.
'Enigmail is very simple to use,' says Wolf.
Encryption standards based on S/MIME have the advantage that they are already built into e-mail applications like Outlook. However, S/MIME does not rely on exchanging public key data between correspondents. Instead, it uses a digital certificate which can be created fairly easily in about 15 minutes. Thawte, a certification service, does that free of charge.
Freemail provider web.de also employs S/MIME encryption. But users do not have to worry about creating their own certificates, since both the key and the digital signature are automatically generated for all mailboxes. Users can opt for the encryption.
'Anyone who wants to receive encrypted e-mails has to first send the digital signature to all e-mail correspondents,' says Julian Kellermeier of Web.de's customer service. E-mail clients employing S/MIME integrate this digital signature, allowing them to encrypt their e-mails.
Private users do not generally have problems with encryption. However, it can lead to problems in business settings, since virus scanners and firewalls sometimes do not know how to react to the encrypted e-mails, says Krauss.
Apart from encryption, OpenPGP and S/MIME can also be used to create e-mail signatures, which can be used to verify the authenticity of e-mails.